Policing Traffic

It is critical that network resources are available to customers. When network resources are overloaded due to inadequate traffic management, you lose the benefits that a network provides. Controlling the flow of data across your network helps to ensure the efficiency of the network.

Policing is an important traffic regulation mechanism. Using policing, you can configure your system to more effectively handle traffic issues before they overload your network. Policing enables you to determine how traffic is managed by the network to avoid congestion and system inefficiencies, thereby increasing network availability and maximizing the use of bandwidth.

This chapter describes the policing capabilities of the Cisco 10000 series router. It includes the following topics:

Traffic Policing

Traffic policing is a traffic regulation mechanism that is used to limit the rate of traffic streams. Policing allows you to control the maximum rate of traffic sent or received on an interface. Policing propagates bursts of traffic and is applied to the inbound or outbound traffic on an interface. When the traffic rate exceeds the configured maximum rate, policing drops or remarks the excess traffic. Although policing does not buffer excess traffic, a configured queuing mechanism applies to conforming packets that might need to be queued while waiting to be serialized at the physical interface.

Traffic policing uses a token bucket algorithm to manage the maximum rate of traffic. This algorithm is used to define the maximum rate of traffic allowed on an interface at a given moment in time. The token bucket algorithm is especially useful in managing network bandwidth in cases where several large packets are sent in the same traffic stream. The algorithm puts tokens into the bucket at a certain rate. Each token is permission for the source to send a specific number of bits into the network. With policing, the token bucket determines whether a packet exceeds or conforms to the applied rate. In either case, policing implements the action you configure such as setting the IP precedence or differentiated services code point (DSCP). For more information about the token bucket, see the "Metering Traffic and Token Buckets" section.

Policing restricts the output rate to a maximum kilobits per second (kbps) value or to a percentage of the available or unused bandwidth. Policing does not provide a minimum bandwidth guarantee during periods of congestion; to provide these guarantees, you must use the bandwidth or priority command.

Policing is class-based in that the policer is applied to a specific class of traffic within a policy map by using the police command. When you attach the service policy to an interface, the router applies the policing action to the packets that match that class.

Feature History for Traffic Policing

Cisco IOS Release | Description | Required PRE
Release 12.0(17)SL | The traffic policing feature was introduced on the router and included a single-rate two-color policer. | PRE1
Release 12.0(25)S | This feature was enhanced to include a three-color marker. | PRE1
Release 12.2(16)BX | This feature was introduced on the PRE2. | PRE2
Release 12.3(7)XI | This feature was enhanced on the PRE2 to include a three-color marker. | PRE2
Release 12.2(27)SBB | This feature was enhanced on the PRE2 to include a two-rate policer. | PRE2
Release 12.2(31)SB2 | This feature was introduced on the PRE3 to allow you to police traffic on the L2TP access concentrator (LAC) based on the value of a packet's IP DSCP bits. Control plane policing, policing of GRE tunnels, tunnel header marking using a police action, and ATM CLP bit marking using a police action were also introduced on the PRE3. | PRE3
Release 12.2(33)SB | This feature was introduced on the PRE4 and enhanced to support marking of the ATM CLP bit, Frame Relay DE bit, and CoS bit using a police action for the PRE2, PRE3, and PRE4. | PRE2, PRE3, PRE4

Policing Actions

Table 6-1 lists the actions the router can take on packets. These are the actions you specify in the police command.

Note In Table 6-1, the term transmit means that the packet is passed through the policer for further processing. The policer acts as a filter before the packet is passed on to the next stage of processing.

Table 6-1 Policing Actions

Each entry gives the action (as specified in the police command), its description, and the Cisco IOS release and PRE in which the action was introduced.

drop
Drops the packet. This is the default action for traffic that exceeds or violates the committed rate.

set-cos-transmit value
Sets the class of service (CoS) bits of a packet and transmits the packet with the new CoS setting. Valid values are 0 to 7.
Introduced in Release 12.2(33)SB (PRE2, PRE3, PRE4)

set-cos-inner-transmit value
Sets the inner VLAN CoS bits and transmits the packet with the new CoS setting. Valid values are 0 to 7.
Note The router supports this policing action on QinQ interfaces only. We recommend that you do not configure this action in 3-level hierarchical policy maps attached to non-QinQ interfaces.
Introduced in Release 12.2(33)SB (PRE2, PRE3, PRE4)

set-discard-class-transmit
Sets the discard class attribute of a packet and transmits the packet with the new discard class setting.
Introduced in Release 12.3(7)XI (PRE2)

set-dscp-tunnel-transmit value
Sets the DSCP bits in the packet headers of traffic streams aggregated into the same tunnel. This enables the streams to receive a different level of QoS processing in the QoS domain of the outer ToS field. Valid values are from 0 to 63 or one of the following reserved keywords:
• EF (expedited forwarding)
• AF11 (assured forwarding class AF11)
• AF12 (assured forwarding class AF12)
Introduced in Release 12.2(31)SB2 (PRE3)

set-dscp-transmit value
Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value setting. Valid values are from 0 to 63.
Introduced in Release 12.0(17)SL (PRE1)

set-frde-transmit
Sets the Frame Relay discard eligibility (DE) bit and transmits the frame with the new DE setting.
Introduced in Release 12.2(33)SB (PRE2, PRE3, PRE4)

set-mpls-exp-transmit value
Sets the Multiprotocol Label Switching (MPLS) experimental (EXP) bits and transmits the packet with the new MPLS EXP bit value setting. Valid values are from 0 to 7.
Introduced in Release 12.0(22)S (PRE1)

set-mpls-exp-imposition-transmit value
Sets the MPLS experimental (EXP) bits in the imposed label headers and transmits the packet with the new MPLS EXP bit value setting. Valid values are from 0 to 7.
The set-mpls-exp-imposition-transmit command is available only on the PRE2 and replaces the set-mpls-exp-transmit command.
Introduced in Release 12.3(7)XI (PRE2)

set-prec-tunnel-transmit value
Sets the precedence bits in the packet headers of traffic streams aggregated into the same tunnel. This enables the streams to receive a different level of QoS processing in the QoS domain of the outer ToS field. Valid values are from 0 to 7.
Introduced in Release 12.2(31)SB2 (PRE3)

set-prec-transmit value
Sets the IP precedence and transmits the packet with the new IP precedence value setting. Valid values are from 0 to 7.
Introduced in Release 12.0(17)SL (PRE1)

set-qos-transmit value
Sets the QoS group value and transmits the packet with the new QoS group value setting. Valid values are from 0 to 99.
Introduced in Release 12.0(17)SL (PRE1)

transmit
Transmits the packet. The packet is not altered.
Introduced in Release 12.0(17)SL (PRE1)

Single-Rate Color Marker for Traffic Policing

The Cisco 10000 series router supports a single-rate color marker to police traffic streams into groups of conforming and nonconforming traffic. This marker is useful in marking packets in a packet stream with different, decreasing levels of assurances (either absolute or relative). The marker can mark packets with green, yellow, or red markings, which cause a specific action to occur. For example, a service might discard all red packets because they exceed both the committed and excess burst sizes, forward yellow packets as best effort, and forward green packets with a low drop probability.

The router provides two types of single-rate color markers: two-color and three-color.

• In all releases prior to Cisco IOS Release 12.0(25)S and Release 12.3(7)XI, the router provides a two-color marker. A two-color marker classifies traffic into two groups: traffic that conforms to the specified committed information rate (CIR) and burst sizes, and traffic that exceeds either the CIR or the burst sizes.

• In Cisco IOS Release 12.0(25)S and Release 12.3(7)XI, and later releases, the router adds support for an IETF-defined, RFC 2697-based, single-rate, three-color marker by adding the ability to classify nonconforming traffic into a third group: traffic that violates the CIR. The three-color marker distinguishes between the nonconforming traffic that occasionally bursts a certain number of bytes more than the CIR and the traffic that continually violates the CIR allowance. Applications can utilize the three-color marker to provide three service levels: guaranteed, best effort, and deny.

The router maintains the behavior of the two-color marker by automatically setting the violate action to be the same as the exceed action (unless you configure the violate action). Therefore, you can continue to use the two-color marker. However, it is important to note that the router collects statistics for conforming, exceeding, and violating packets. Therefore, when verifying packet counts be sure to observe all three statistical categories to ensure an accurate count.

Feature History for the Single-Rate Color Marker

Cisco IOS Release | Description | Required PRE
Release 12.0(17)SL | The single-rate two-color marker feature was introduced on the router. | PRE1
Release 12.0(25)S | This feature was enhanced to include a single-rate three-color marker. | PRE1
Release 12.2(16)BX | This feature was introduced on the PRE2 and included a single-rate two-color marker. | PRE2
Release 12.3(7)XI | This feature was enhanced on the PRE2 and included a single-rate three-color marker. | PRE2
Release 12.2(28)SB | This feature was integrated in Cisco IOS Release 12.2(28)SB for the PRE2. | PRE2
Release 12.2(31)SB2 | This feature was introduced on the PRE3 to allow you to police traffic on the L2TP access concentrator (LAC) based on the value of a packet's IP DSCP bits. | PRE3

Configuration Commands for the Single-Rate Color Marker

police Command (Single-Rate)

To configure traffic policing based on bits per second, use the police command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command. By default, this command is disabled.

Syntax Description

cir

(Optional) Committed information rate (CIR). Indicates an average rate at which the policer meters traffic. CIR is based on the interface shape rate.

bps

Specifies the average rate in bits per second (bps). Valid values are from 8,000 to 2,488,320,000 bps. If you specify only police bps, the router transmits the traffic that conforms to the bps value and drops the traffic that exceeds it. For information on how the router calculates the policing rate, see the "Policing Rate Granularity" section.

bc burst-normal

(Optional) Normal or committed burst (bc) size used by the first token bucket for policing. The burst-normal specifies the bc value in bytes. Valid values are from 1 to 512,000,000. The default is 9,216 bytes. For more information, see the "Committed Bursts and Excess Bursts" section.

be burst-excess

(Optional) Excess burst (be) size used by the second token bucket for policing. The burst-excess specifies the excess burst in bytes. Valid values are from 0 to 1,024,000,000 bytes. The default is 0. You must specify burst-normal before you specify burst-excess. For more information, see the "Committed Bursts and Excess Bursts" section.

Note When the be value equals 0, we recommend that you set the egress bc value to be greater than or equal to the ingress bc value plus 1; otherwise, packet loss can occur. For example, with be = 0: egress bc >= ingress bc + 1.

conform-action action

Specifies the action to take on packets that conform to the rate limit. The default action is transmit. You must specify burst-excess before you specify the conform-action.

exceed-action action

Specifies the action to take on packets that exceed the rate limit, but not the PIR. The default action is drop. You must specify the conform-action before you specify the exceed-action.

violate-action action

(Optional) Specifies the action to take on packets that continuously exceed the PIR rate limit. The default action is the same as the exceed-action. You must specify the exceed-action before you specify the violate-action.

See Table 6-1 for a description of each action you can specify in the police command.

police Command History

The police command was introduced on the PRE1 and included a single-rate two-color marker.

Cisco IOS Release | Description
Release 12.0(22)S | This command was enhanced to include the set-mpls-exp-transmit policing action.
Release 12.0(25)S | This command was enhanced to include a three-color marker. A new violate-action parameter allows you to specify the action to take for traffic that consistently violates the committed rate.
Release 12.2(16)BX | This command was introduced on the PRE2 and included a single-rate two-color marker.
Release 12.3(7)XI | This command was enhanced on the PRE2 and included a three-color marker and the set-mpls-exp-imposition-transmit policing action. This action is available on the PRE2 only.
Release 12.2(28)SB | This command was integrated in Cisco IOS Release 12.2(28)SB for the PRE2.
Release 12.2(31)SB2 | This command was introduced on the PRE3 to allow you to police traffic on the L2TP access concentrator (LAC) based on the value of a packet's IP DSCP bits. The set-frde-transmit policing action was also added for the PRE3.

Usage Guidelines for the police Command

A packet is classified as conforming (or of color green) if its size is at most the size of the normal or committed burst (bc) and within the allowance of the committed information rate (CIR).

A packet is classified as exceeding (or of color yellow) only if its size is greater than the allowance of the CIR, but is at most the number of bytes of the excess burst (be) and within the available surplus.

A packet is classified as violating (or of color red) only if its size is greater than both the CIR allowance and the available surplus, either because the packet's size exceeds the excess burst (be) size or because a previous packet used some of the surplus and the traffic since then has not slowed sufficiently to acquire the surplus needed for the current packet. The policer starts with a surplus equal to the excess burst (be) size and replenishes it by the amount of unused CIR allowance until the surplus reaches the be size.

The policer measures the committed burst size (CBS) and the excess burst size (EBS) in bytes. The Cisco IOS software converts the policing rate you enter in bits per second to bytes per millisecond. You must configure the CBS and EBS so that at least one of them is larger than 0.

When the be value equals 0, we recommend that you set the egress bc value to be greater than or equal to the ingress bc value plus 1; otherwise, packet loss can occur. For example, with be = 0: egress bc >= ingress bc + 1.

Two-Rate Three-Color Marker for Traffic Policing

The two-rate three-color marker improves bandwidth management by allowing you to police traffic streams according to two separate rates. Unlike the single-rate policer, which allows you to manage bandwidth by setting the excess burst size (be), the two-rate policer allows you to manage bandwidth by setting the committed information rate (CIR) and the peak information rate. Therefore, the two-rate policer supports a higher level of bandwidth management and a sustained excess rate. The two-rate policer also enables you to implement differentiated services (DiffServ) assured forwarding (AF) per-hop behavior (PHB) traffic conditioning (see the "Implementing DiffServ for End-to-End Quality of Service" section in the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3).

The two-rate policer is often configured on interfaces at the edge of a network to limit the rate of traffic entering or leaving the network. In addition to rate-limiting traffic, the policer's three-color marker can mark packets according to whether the packet conforms (green), exceeds (yellow), or violates (red) a specified rate. You decide the actions you want the router to take for conforming, exceeding, and violating traffic. For example, you can configure conforming packets to be sent, exceeding packets to be sent with a decreased priority, and violating packets to be dropped. In most common configurations, traffic that conforms is sent and traffic that exceeds is sent with decreased priority or is dropped. You can change these actions according to your network needs.

With packet marking, you can partition your network into multiple priority levels or classes of service (CoS). For example, you can configure the two-rate three-color marker to do the following:

• Assign packets to a QoS group, which the router then uses to determine how to prioritize packets within the router.

• Set the IP precedence level, IP DSCP value, or the MPLS experimental value of packets entering the network. Networking devices within your network can then use this setting to determine how to treat the traffic. For example, a weighted random early detection (WRED) drop policy can use the IP precedence value to determine the drop probability of a packet.

• Set the ATM cell loss priority (CLP) bit in ATM cells. The ATM CLP bit is used to prioritize packets in ATM networks and is set to either 0 or 1. During congestion, the router discards cells with a CLP bit setting of 1 before it discards cells with a CLP bit setting of 0.

The three-color marker distinguishes between the nonconforming traffic that occasionally bursts a certain number of bytes more than the CIR and violating traffic that continually violates the PIR allowance. Applications can utilize the three-color marker to provide three service levels: guaranteed, best effort, and deny. The three-color marker is useful in marking packets in a packet stream with different, decreasing levels of assurances (either absolute or relative). For example, a service might discard all red packets because they exceed both the committed and excess burst sizes, forward yellow packets as best effort, and forward green packets with a low drop probability.

Note The router maintains the behavior of the two-color marker by automatically setting the violate action to be the same as the exceed action (unless you configure the violate action). Therefore, you can continue to use the two-color marker. However, it is important to note that the router collects statistics for conforming, exceeding, and violating packets. Therefore, when verifying packet counts be sure to observe all three statistical categories to ensure an accurate count.

The two-rate three-color marker uses a token bucket algorithm to manage the maximum rate of traffic. The token bucket algorithm can use the values you specify to determine the maximum rate of traffic allowed on an interface at a given moment in time. All traffic entering or leaving an interface affects the token bucket algorithm, depending on whether the two-rate policer is configured on an inbound or outbound interface. The token bucket algorithm is useful in managing network bandwidth when large packets are sent in the same traffic stream. For more information about the token bucket algorithm, see the "Metering Traffic and Token Buckets" section.
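To make the classification rules concrete (the conform/exceed/violate rules in the single-rate police command usage guidelines, and the two-rate marker just described), here is an added example; it is not Cisco's code or the router's implementation. It meters a constructed packet trace with a single-rate three-color marker (RFC 2697: a committed bucket of bc bytes, a surplus that starts at be and is refilled only with unused CIR allowance) and with a two-rate three-color marker (RFC 2698: a second bucket of peak-burst bytes filled at the PIR), then maps each color to an action using the chapter's defaults (conform-action transmit, exceed-action drop, violate-action the same as exceed-action). The rate conversion to bytes per millisecond follows the chapter; the class and function names, the rates, the burst sizes and the packet trace are all constructed for illustration.

```python
"""Single-rate (RFC 2697) and two-rate (RFC 2698) three-color meters.

Added example, not Cisco's implementation.  It models the behaviour the
chapter describes: rates are converted from bits per second to bytes per
millisecond, a single-rate policer starts with a surplus equal to be and
refills it only with unused CIR allowance, a two-rate policer fills its
second bucket at the PIR, and the violate action defaults to the exceed
action.  Packet sizes, times and rates below are constructed test data.
"""
from collections import Counter

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"   # green, yellow, red


def bytes_per_ms(rate_bps):
    """Cisco IOS converts the policing rate to bytes per millisecond."""
    return rate_bps / 8000.0


class SingleRateMeter:
    """police <cir> bc <bc> be <be>: one rate, two buckets (RFC 2697)."""

    def __init__(self, cir_bps, bc, be=0):
        if bc <= 0 and be <= 0:
            raise ValueError("at least one of bc and be must be larger than 0")
        self.rate, self.bc, self.be = bytes_per_ms(cir_bps), bc, be
        self.tc, self.te = float(bc), float(be)   # tokens (bytes) in each bucket
        self.last_ms = 0.0
        self.stats = Counter()                   # the router counts all three colors

    def _refill(self, now_ms):
        tokens = (now_ms - self.last_ms) * self.rate
        self.last_ms = now_ms
        room = self.bc - self.tc
        if tokens <= room:
            self.tc += tokens                    # all allowance fits in the bc bucket
        else:                                    # unused CIR allowance tops up the surplus
            self.tc = float(self.bc)
            self.te = min(float(self.be), self.te + tokens - room)

    def meter(self, now_ms, size):
        self._refill(now_ms)
        if size <= self.tc:
            self.tc -= size; color = CONFORM
        elif size <= self.te:
            self.te -= size; color = EXCEED
        else:
            color = VIOLATE                      # no bucket is charged for a red packet
        self.stats[color] += 1
        return color


class TwoRateMeter:
    """police cir <cir> bc <bc> pir <pir> be <peak-burst>: two rates (RFC 2698)."""

    def __init__(self, cir_bps, bc, pir_bps, be):
        self.crate, self.prate = bytes_per_ms(cir_bps), bytes_per_ms(pir_bps)
        self.bc, self.be = bc, be
        self.tc, self.tp = float(bc), float(be)
        self.last_ms = 0.0
        self.stats = Counter()

    def _refill(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tc = min(float(self.bc), self.tc + elapsed * self.crate)
        self.tp = min(float(self.be), self.tp + elapsed * self.prate)  # second bucket fills at PIR

    def meter(self, now_ms, size):
        self._refill(now_ms)
        if size > self.tp:
            color = VIOLATE                      # over the PIR allowance
        elif size > self.tc:
            self.tp -= size; color = EXCEED      # within PIR but over CIR
        else:
            self.tp -= size; self.tc -= size; color = CONFORM
        self.stats[color] += 1
        return color


def meter_trace(meter, trace):
    """Return the color assigned to each (time_ms, size_bytes) packet."""
    return [meter.meter(t, size) for t, size in trace]


def police(meter, trace, conform="transmit", exceed="drop", violate=None):
    """Return the action applied to each packet; as on the router, the
    violate-action defaults to the exceed-action."""
    actions = {CONFORM: conform, EXCEED: exceed,
               VIOLATE: violate if violate is not None else exceed}
    return [actions[color] for color in meter_trace(meter, trace)]


# Constructed trace: a 6000-byte burst of 1500-byte packets at t=0, one more
# packet 1 ms later, then a second burst after a 4 ms pause.
TRACE = [(0, 1500)] * 4 + [(1, 1500)] + [(5, 1500)] * 4


if __name__ == "__main__":
    sr = SingleRateMeter(cir_bps=8_000_000, bc=3000, be=2000)   # CIR = 1000 bytes/ms
    print("single-rate:", meter_trace(sr, TRACE), dict(sr.stats))
    tr = TwoRateMeter(cir_bps=8_000_000, bc=3000, pir_bps=16_000_000, be=4500)
    print("two-rate:   ", meter_trace(tr, TRACE), dict(tr.stats))
    print("two-color:  ", police(SingleRateMeter(8_000_000, 3000, 0), TRACE))
```

The fifth packet shows the difference the chapter draws between the two markers: after the initial burst the single-rate meter has only 1000 bytes of CIR allowance and no surplus left, so the packet is red, whereas the two-rate meter's peak bucket has refilled at the PIR and the packet is yellow (the "sustained excess rate"). With be = 0 the single-rate meter behaves as a two-color marker: nothing is ever yellow, and because violate defaults to exceed the red packets get the exceed action, which is why all three counters must be read when verifying packet counts.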

Configuration Commands for the Two-Rate Color Marker

police Command (Two-Rate)

To configure traffic policing using the committed information rate (CIR) and the peak information rate (PIR), use the police command in policy-map class configuration mode. To remove two-rate traffic policing from the configuration, use the no form of this command. By default, this command is disabled.

Syntax Description

cir cir

Committed information rate (CIR). Indicates an average rate at which the policer meters traffic. CIR is based on the interface shape rate. The cir specifies the CIR value in bits per second. Valid values are from 8000 to 2,488,320,000 bits per second.

bc burst-normal

(Optional) Specifies the normal or committed burst (bc) size used by the first token bucket for policing. The burst-normal specifies the bc value in bytes. Valid values are from 1 to 512,000,000. The default is 9,216 bytes.

pir pir

Peak information rate (PIR). Indicates the rate at which the second token bucket is updated. The pir specifies the PIR value in bits per second. Valid values are from 8000 to 2,488,320,000.

be peak-burst

(Optional) Specifies the peak burst (be) size used by the second token bucket for policing. The peak-burst specifies the be value in bytes. The size depends on the interface used. Valid values are 0 to 1,024,000,000.

Note When the be value equals 0, we recommend that you set the egress bc value to be greater than or equal to the ingress bc value plus 1; otherwise, packet loss can occur. For example, with be = 0: egress bc >= ingress bc + 1.

conform-action action

(Optional) Specifies the action to take on packets that conform to the rate limit. The default action is transmit. You must specify burst-excess before you specify the conform-action.

exceed-action action

(Optional) Specifies the action to take on packets that exceed the rate limit, but not the PIR. The default action is drop. You must specify the conform-action before you specify the exceed-action.

violate-action action

(Optional) Specifies the action to take on packets that continuously exceed the PIR rate limit. The default action is the same as the exceed-action. You must specify the exceed-action before you specify the violate-action.

police Command History

The single-rate police command was enhanced on the PRE2 to allow you to configure two traffic policing rates: the committed information rate (CIR) and the peak information rate (PIR).

Cisco IOS Release | Description
Release 12.2(31)SB2 | This command was introduced on the PRE3 to allow you to police traffic on the L2TP access concentrator (LAC) based on the value of a packet's IP DSCP bits.

Usage Guidelines for the police Command

When the be value equals 0, we recommend that you set the egress bc value to be greater than or equal to the ingress bc value plus 1; otherwise, packet loss can occur. For example, with be = 0: egress bc >= ingress bc + 1.

Percent-Based Policing

Percent-based policing enables you to configure traffic policing as a percentage of the bandwidth of the network interface on which policing is applied. Configuring traffic policing based on bandwidth percentage enables you to use the same policy map for multiple interfaces with differing amounts of bandwidth.

Percent-based policing also allows you to specify burst sizes in milliseconds (ms). The router calculates the burst value in milliseconds based on the policing rate.

When you use a percent-based police command within a nested policy, the police percent is based on the nearest parent shape rate. If no parent shaping exists, the police percent is based on the link bandwidth.

Percent-based policing supports two traffic policing rates only if the parent policy map has a single class defined: the class-default class. The parent policy performs only match-any matching when applying the class-default shaping rate.

Feature History for Percent-Based Policing

Cisco IOS Release | Description | Required PRE
Release 12.0(25)SX | The percent-based policing feature was introduced on the router. | PRE1
Release 12.3(7)XI | This feature was introduced on the PRE2. | PRE2
Release 12.2(28)SB | This feature was enhanced on the PRE2 to allow you to configure two traffic policing rates as a percentage: the committed information rate (CIR) and the peak information rate (PIR). | PRE2
Release 12.2(31)SB2 | This feature was introduced on the PRE3 to allow you to police traffic on the L2TP access concentrator (LAC) based on the value of a packet's IP DSCP bits. The set-frde-transmit policing action was also added for the PRE3. | PRE3

police percent Command

To configure traffic policing on the basis of a percentage of the bandwidth available on an interface, use the police percent command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of the command. By default, this command is disabled.

Syntax Description

cir

(Optional) Committed information rate (CIR). Indicates an average rate at which the policer meters traffic. CIR is based on the interface shape rate.

percent percent

Indicates that the percentage of available bandwidth specified in percent is used to calculate the CIR. Valid values are from 1 to 100.

bc normal-burst-in-msec

(Optional) Specifies the normal or committed burst size (CBS) that the first token bucket uses for policing traffic. Specify the CBS value in milliseconds (ms). Valid values are from 1 to 2000. The default value is the greater of 2 ms worth of bytes at the police rate or the network maximum transmission unit (MTU).

pir pir

(Optional) Peak information rate (PIR), expressed as a percentage. Indicates the rate at which the second token bucket is updated. Valid values are from 1 to 100.

Note When using percent-based policing, you must explicitly enter the PIR value.

be excess-burst-in-msec

(Optional) Specifies the excess burst size (EBS) that the second token bucket uses for policing traffic. Specify the EBS value in milliseconds (ms). Valid values are from 0 to 2000. The default value is zero (0). You must specify normal-burst-in-msec before you specify excess-burst-in-msec.

Note Burst in milliseconds is based on the policing committed information rate (CIR).

conform-action action

(Optional) Specifies the action to take on packets that conform to the rate limit. The default action is transmit. You must specify a value for excess-burst-in-msec before you specify the conform-action.

exceed-action action

(Optional) Specifies the action to take on packets that exceed the rate limit, but not the PIR. The default action is drop. You must specify the conform-action before you specify the exceed-action.

violate-action action

(Optional) Specifies the action to take on packets that continuously exceed the PIR rate limit. The default action is the same as the exceed-action. You must specify the exceed-action before you specify the violate-action.

police percent Command History

This command was enhanced on the PRE2 to allow you to configure two traffic policing rates as a percentage: the committed information rate (CIR) and the peak information rate (PIR).

Cisco IOS Release | Description
Release 12.2(31)SB2 | This command was introduced on the PRE3 to allow you to police traffic on the L2TP access concentrator (LAC) based on the value of a packet's IP DSCP bits.

Usage Guidelines for the police percent Command

Percent-based policing supports two levels of policing only if the parent policy map has a single class defined: the class-default class. The parent policy performs only match-any matching when applying the class-default shaping rate.

Shaping affects the input and output policer. For example, if you configure a percent-based policer on an input interface and the output interface has a nested policy attached, the policing percentage is based on the outgoing shape rate.

You must explicitly enter the PIR when using percent-based policing.

Example

The following configuration polices Data traffic at 20 percent and sets the PIR to 25 percent.

Router(config)# policy-map Business

Router(config-pmap)# class Data

Router(config-pmap-c)# police percent 20 3 ms pir 25 10 ms
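To show how the percentage, burst-in-milliseconds and nesting rules above combine, here is an added example (not Cisco's code or the router's implementation) that parses a police percent command in the form shown in the example above and works out the effective CIR, PIR and burst sizes in bytes. It applies the chapter's rules: the percentage is taken from the nearest parent shape rate, or from the link bandwidth if there is no parent shaping; bursts given in milliseconds are converted at the CIR; the default bc is the greater of 2 ms worth of bytes at the police rate or the MTU; the default be is 0; and the violate action defaults to the exceed action. The command grammar accepted, the rounding down to whole bytes, and the link, shaper and MTU values are assumptions made for this example.

```python
"""Effective rates and bursts of a percent-based police command.

Added example, not Cisco's code: it applies the rules the chapter states
(percent of the nearest parent shape rate, else the link bandwidth; bursts
given in ms are converted at the CIR; default bc is the greater of 2 ms at
the police rate or the MTU; default be is 0; violate-action defaults to the
exceed-action).  The command grammar accepted, the floor-to-whole-bytes
rounding and all rates, bandwidths and MTU values are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PercentPolicer:
    percent: int                       # CIR as a percentage of the base rate
    bc_ms: Optional[int] = None        # committed burst in ms (None = default)
    pir_percent: Optional[int] = None  # PIR as a percentage (must be explicit)
    be_ms: int = 0                     # excess burst in ms
    conform: str = "transmit"
    exceed: str = "drop"
    violate: Optional[str] = None      # None = same as exceed-action


def parse_police_percent(line: str) -> PercentPolicer:
    """Parse the form used in the chapter's example:
    police percent <p> [<bc> ms] [pir <p> [<be> ms]] [conform-action a]
                   [exceed-action a] [violate-action a]
    A bare '<n> ms' before 'pir' is the committed burst, after it the excess burst."""
    tok = line.split()
    if tok[:2] != ["police", "percent"]:
        raise ValueError("not a police percent command")
    p = PercentPolicer(percent=int(tok[2]))
    i = 3
    while i < len(tok):
        if tok[i] == "pir":
            p.pir_percent = int(tok[i + 1])
            i += 2
        elif i + 1 < len(tok) and tok[i + 1] == "ms":
            if p.pir_percent is None:
                p.bc_ms = int(tok[i])
            else:
                p.be_ms = int(tok[i])
            i += 2
        elif tok[i] in ("conform-action", "exceed-action", "violate-action"):
            setattr(p, tok[i].split("-")[0], tok[i + 1])   # field names match the keywords
            i += 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    # Ranges the chapter gives: percent 1-100, bc 1-2000 ms, be 0-2000 ms.
    if not 1 <= p.percent <= 100 or (p.pir_percent is not None and not 1 <= p.pir_percent <= 100):
        raise ValueError("percent values must be from 1 to 100")
    if (p.bc_ms is not None and not 1 <= p.bc_ms <= 2000) or not 0 <= p.be_ms <= 2000:
        raise ValueError("bc must be 1-2000 ms and be 0-2000 ms")
    return p


def base_rate_bps(link_bps: int, parent_shape_bps: Optional[int] = None) -> int:
    """Nearest parent shape rate when the policy is nested under a shaper,
    otherwise the link bandwidth."""
    return parent_shape_bps if parent_shape_bps else link_bps


def ms_to_bytes(rate_bps: int, ms: int) -> int:
    """The router works in bytes per millisecond: rate_bps / 8000 bytes per ms."""
    return rate_bps * ms // 8000


def effective_policer(p: PercentPolicer, link_bps: int,
                      parent_shape_bps: Optional[int] = None, mtu: int = 1500) -> dict:
    base = base_rate_bps(link_bps, parent_shape_bps)
    cir = base * p.percent // 100
    if p.bc_ms is not None:
        bc = ms_to_bytes(cir, p.bc_ms)
    else:
        bc = max(ms_to_bytes(cir, 2), mtu)         # greater of 2 ms at the police rate or MTU
    pir = base * p.pir_percent // 100 if p.pir_percent is not None else None
    be = ms_to_bytes(cir, p.be_ms)                 # burst in ms is based on the CIR
    return {"cir_bps": cir, "bc_bytes": bc, "pir_bps": pir, "be_bytes": be,
            "conform": p.conform, "exceed": p.exceed,
            "violate": p.violate if p.violate is not None else p.exceed}


if __name__ == "__main__":
    pol = parse_police_percent("police percent 20 3 ms pir 25 10 ms")  # the Business/Data example
    # Constructed topology: Gigabit link, parent class-default shaped to 50 Mbps.
    print("nested under 50 Mbps shaper:", effective_policer(pol, 1_000_000_000, 50_000_000))
    print("no parent shaping (link rate):", effective_policer(pol, 1_000_000_000))
```

Run against the same policy map, the two calls show why one policy map can serve interfaces of different bandwidth: nested under a 50 Mbps shaper the Data class is policed at 10 Mbps with a 3750-byte committed burst, while attached without parent shaping on a Gigabit link the same command yields 200 Mbps and a 75,000-byte burst.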

Control Plane Policing

The Cisco 10000 series router supports control plane policing in Cisco IOS Release 12.2(31)SB2 and later releases. The Control Plane Policing feature allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets. This allows you to protect the control plane of the router against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.

For more information, see the Control Plane Policing, Release 12.2(31)SB2 feature module.

AToM Set ATM CLP Bit Using a Policer

The AToM Set ATM CLP Bit Using a Policer feature enables you to police and mark inbound ATM traffic before forwarding it onto an Any Transport over MPLS (AToM) Layer 2 virtual private network (VPN) pseudowire. Using this feature, you can configure the police command to set the ATM cell loss priority (CLP) bit in the packet header. This bit indicates the drop priority of the ATM cell. During ATM network congestion, the router discards ATM cells with the CLP bit set to 1 before discarding cells with a CLP bit setting of 0.

The Set ATM CLP Bit Using a Policer feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of the ATM cells using the set-clp-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature for AToM, you must attach a policy map that includes the set-clp-transmit action to the interface upon which the ATM VC terminates or, in other words, attach the policy map to the input interface of the PE.

The router supports the set-clp-transmit policing action in single-rate and dual-rate policing policies, and in hierarchical policies.

The router allows you to simultaneously configure the policing actions set-clp-transmit and set-mpls-exp-imposition-transmit in a single police command on the Layer 2 VPN inbound interface.

Feature History for Set ATM CLP Bit Marking As a Police Action

Cisco IOS Release | Description | Required PRE
Release 12.3(7)XI | This feature was introduced on the PRE2. | PRE2
Release 12.2(33)SB | This feature was introduced on the PRE3 and PRE4. | PRE3, PRE4

AToM Set FR DE as Police Action

The AToM Set FR DE as Police Action feature enables you to police and mark inbound Frame Relay traffic before forwarding it onto an Any Transport over MPLS (AToM) Layer 2 virtual private network (VPN) pseudowire. Using this feature, you can configure the police command to set the Frame Relay discard eligibility (DE) bit in the packet header. This bit indicates the drop priority of the frame. During Frame Relay network congestion, the router discards frames with the DE bit set to 1 before discarding frames with a DE bit setting of 0.

The AToM Set FR DE as Police Action feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-frde-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes the set-frde-transmit action to an input interface of the PE.

The router supports the set-frde-transmit policing action in single-rate and dual-rate policing policies, and in hierarchical policies.

The router allows you to configure the set-frde-transmit and set-mpls-exp-imposition-transmit policing actions in a single police command on Any Transport over MPLS (AToM) Layer 2 VPN inbound interfaces.

Feature History for AToM Set FR DE as Police Action

Cisco IOS Release | Description | Required PRE
Release 12.2(33)SB | This feature was introduced on the PRE2, PRE3, and PRE4. | PRE2, PRE3, PRE4

Set Layer 2 CoS as a Policer Action

The Set Layer 2 CoS as a Policer Action feature enables you to police and mark inbound VLAN and QinQ traffic before forwarding the traffic onto the outbound link. Using this feature, you can configure the police command to set the class of service (CoS) bits for VLAN traffic and to set the outer CoS bits for QinQ traffic. The 3-bit CoS field is part of the VLAN tag and indicates the priority level of the frame. IEEE 802.1p establishes eight levels of priority: 0 to 7.

This feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-cos-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes the set-cos-transmit action to an outbound interface, not to an inbound interface.

The set-cos-transmit policing action marks the outer CoS bits. To configure marking of outer CoS bits, configure the police command and specify the set-cos-transmit policing action as a conform, exceed, or violate action.

The router supports set-cos-transmit as a three-color policing action in single-rate and dual-rate policing policies, and in hierarchical policies.

Feature History for Set Layer 2 CoS as Policer Action

Cisco IOS Release     Description                                                           Required PRE
Release 12.2(33)SB    This feature was introduced on the router for the PRE2, PRE3, and PRE4.   PRE2, PRE3, PRE4

Set Inner CoS as a Policer Action

The Set Inner CoS as a Policer Action feature uses the police command to set the inner VLAN class of service (CoS) bits for QinQ traffic on the PRE2, PRE3, and PRE4. The 3-bit CoS field is part of the VLAN tag and indicates the priority level of the frame. IEEE 802.1p establishes eight levels of priority: 0 to 7.

This feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-cos-inner-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes the set-cos-inner-transmit action to an outbound interface, not to an inbound interface.

To configure marking of inner CoS bits, configure the police command and specify the set-cos-inner-transmit policing action as a conform, exceed, or violate action.

The router supports the set-cos-inner-transmit policing action in single-rate and dual-rate policing policies, and in hierarchical policies.

Feature History for Set Inner CoS as a Policer Action

Cisco IOS Release     Description                                                           Required PRE
Release 12.2(33)SB    This feature was introduced on the router for the PRE2, PRE3, and PRE4.   PRE2, PRE3, PRE4

Set Inner and Outer CoS as a Policer Action

The Set Inner and Outer CoS as a Policer Action feature uses the police command to set the inner and outer VLAN class of service (CoS) bits for QinQ traffic on the PRE2, PRE3, and PRE4. The 3-bit CoS field is part of the VLAN tag and indicates the priority level of the frame. IEEE 802.1p establishes eight levels of priority: 0 to 7.

This feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-cos-transmit and set-cos-inner-transmit policing actions occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes both of these policing actions to an outbound interface, not to an inbound interface.

The set-cos-transmit policing action sets the outer CoS bits whereas the set-cos-inner-transmit action sets the inner CoS bits. To configure marking of both inner and outer CoS bits at the same time, you must specify both the set-cos-transmit and set-cos-inner-transmit policing actions in a single police command. You can specify these policing actions as conform, exceed, or violate actions.

The router supports simultaneous inner and outer CoS marking in single-rate and dual-rate policing policies, and in hierarchical policies.

Feature History for Set Inner and Outer CoS as a Policer Action

Cisco IOS Release     Description                                                           Required PRE
Release 12.2(33)SB    This feature was introduced on the router for the PRE2, PRE3, and PRE4.   PRE2, PRE3, PRE4

Dual Police Actions

The router allows you to specify dual actions for conforming, exceeding, and violating traffic, one line at a time. After you provide the police rates, press Return to enter the policy-map-class-police configuration mode. While in this mode, you can configure the dual conform, exceed, and violate actions by entering an action keyword and action value, and pressing Return after each specified action. Valid combinations of dual actions are:

•set-clp-transmit and set-mpls-exp-imposition-transmit

•set-frde-transmit and set-mpls-exp-imposition-transmit

•set-cos-transmit and set-cos-inner-transmit

Note The router allows only the dual action combinations listed above and does not do error checking for these actions.

For example, you can specify the first conform-action as set-frde-transmit and the second conform-action as set-mpls-exp-imposition-transmit. If desired, you can then specify these same two actions as the action for the first and second exceed actions and for the two violate actions.

If you upgrade from a Cisco IOS software release that does not support dual police actions to a Cisco IOS release that supports dual police actions, the police command displays on a single line. If you configure each police action on a separate line and then downgrade to a Cisco IOS release that does not support dual actions, the router rejects the policer.

For backward compatibility, the router accepts the police command on a single line, but after entering the police command, the router enters policy-map-class-police configuration mode.

Feature History for Dual Police Actions

Cisco IOS Release     Description                                                     Required PRE
Release 12.2(33)SB    This feature was introduced on the router for the PRE3 and PRE4.   PRE3, PRE4

Policing Support for GRE Tunnels

The Policing Support for GRE Tunnels feature allows you to set the Differentiated Services Code Point (DSCP) and IP precedence values on Generic Routing Encapsulation (GRE) tunnel packets.

This feature is essential for MPLS carriers to offer QoS on Multicast VPN services. Multicast VPN (MVPN) uses GRE tunnels between PE devices, and multicast packets are placed in GRE tunnels for transmission across the MPLS core network. The Policing Support for GRE Tunnels feature allows the GRE tunnel to reflect the underlying QoS of the multicast packets. Once the GRE packets accurately reflect the QoS markings of the underlying multicast packets, they may be queued accordingly as they travel across the core nodes.

Metering Traffic Using Token Buckets (Single-Rate Policer)

The router uses two token buckets to meter the traffic that passes through the system: a conforming bucket and an exceeding bucket. The first bucket holds the tokens that determine whether traffic conforms to (green) or exceeds (yellow) the committed information rate (CIR). A traffic stream is conforming as long as the average number of bytes over time does not drain this bucket. The first bucket can hold bytes up to the size of the committed burst (bc) before overflowing.

A traffic stream exceeds the police rate when it arrives faster than the first bucket refills and has to draw on the second bucket. When this occurs, the router marks the traffic stream yellow. The second bucket receives the tokens that overflow the first bucket, so it fills while the traffic runs below the police rate and pays for bursts above it.

The second token bucket can hold bytes up to the size of the excess burst (be) before overflowing. A traffic stream violates the police rate when the second bucket also runs dry. When this occurs, the router marks the traffic stream red.

The router refills both buckets from a single stream of tokens that arrives at the committed information rate (CIR). When a packet of a given size (for example, "B" bytes) arrives at a specific time (time "T"), the following actions occur:

•The router updates the tokens in the conforming bucket. If the previous packet arrived at time T1 and the current packet arrives at time T, the router adds (T - T1) worth of tokens at the CIR to the conforming bucket. If these refill tokens overflow the conforming bucket, the router places the overflow tokens in the exceeding bucket.

The router calculates the number of refill tokens, in bytes, in the following way:

refill bytes = (time between packets * policer rate) / 8

where time between packets equals T - T1 in seconds and the policer rate is in bits per second

•If the conforming bucket holds at least B bytes of tokens (that is, removing B bytes leaves the count at or above 0), the packet conforms. The router removes B bytes from the conforming bucket and takes the conform action on the packet. In this case, the exceeding bucket is unaffected.

•If the conforming bucket holds fewer than B bytes, the router checks the exceeding bucket. If the exceeding bucket holds at least B bytes, the router removes B bytes from the exceeding bucket and takes the exceed action. The router does not remove bytes from the conforming bucket.

•If the exceeding bucket also holds fewer than B bytes, the packet violates the rate and the router takes the violate action. Neither bucket is decremented.

Metering Traffic Using Token Buckets (Two-Rate Policer)

The two-rate policer manages the maximum rate of traffic by using two token buckets: the committed token bucket and the peak token bucket. The dual-token bucket algorithm uses the values you configure to determine the maximum rate of traffic allowed on a queue at a given moment. In this way, the two-rate policer can meter traffic at two independent rates: the committed information rate (CIR) and the peak information rate (PIR).

The committed token bucket is refilled at the CIR and can hold bytes up to the size of the committed burst (bc) before overflowing. This token bucket holds the tokens that determine whether a packet conforms to or exceeds the CIR, as the following describes:

•A traffic stream is conforming when the average number of bytes over time does not drain the committed token bucket. When this occurs, the token bucket algorithm marks the traffic stream green.

•A traffic stream is exceeding when it drains the committed token bucket but not the peak token bucket. When this occurs, the token bucket algorithm marks the traffic stream yellow. Unlike the exceeding bucket of the single-rate policer, the peak token bucket is not fed by overflow from the committed bucket; it is refilled independently at the PIR.

The peak token bucket can hold bytes up to the size of the peak burst (be) before overflowing. This token bucket holds the tokens that determine whether a packet violates the PIR. A traffic stream is violating when it drains the peak token bucket. When this occurs, the token bucket algorithm marks the traffic stream red.

The dual-token bucket algorithm provides users with three actions for each packet—a conform action, an exceed action, and an optional violate action. Traffic entering a queue with the two-rate policer configured is placed into one of these categories. Within these three categories, users can decide packet treatments. For instance, packets that conform can be configured to be sent; packets that exceed can be configured to be sent with a decreased priority; and packets that violate can be configured to be dropped.

Figure 6-1 shows how the two-rate policer marks a packet and assigns a corresponding action to the packet.

Figure 6-1 Marking Packets and Assigning Actions—2-Rate Policer

For example, if a data stream with a rate of 250 kbps arrives at the two-rate policer, and the CIR is 100 kbps and the PIR is 200 kbps, the policer marks the packet in the following way:

•100 kbps conforms to the rate

•100 kbps exceeds the rate

•50 kbps violates the rate

The router updates the tokens for both the committed and peak token buckets in the following way:

•The router updates the committed token bucket at the CIR value each time a packet arrives at the interface. The committed token bucket can contain up to the committed burst (bc) value.

•The router updates the peak token bucket at the PIR value each time a packet arrives at the interface. The peak token bucket can contain up to the peak burst (be) value.

•When an arriving packet conforms to the CIR, the router takes the conform action on the packet and decrements both the committed and peak token buckets by the number of bytes of the packet.

•When an arriving packet exceeds the CIR, the router takes the exceed action on the packet, decrements the committed token bucket by the number of bytes of the packet, and decrements the peak token bucket by the number of overflow bytes of the packet.

•When an arriving packet exceeds the PIR, the router takes the violate action on the packet, but does not decrement the peak token bucket.
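The two metering procedures described above (single-rate, with the exceeding bucket fed by overflow from the conforming bucket, and two-rate, with the peak bucket refilled at the PIR), as an added Python simulation that is not part of this Cisco document or of Cisco IOS. Integer microsecond timestamps and byte counts keep the token arithmetic exact, so the colors are reproducible. The two-rate meter charges an exceeding (yellow) packet to the peak bucket only, as RFC 2698 specifies; the text's wording for that case is ambiguous, so treat that rule as an assumption. The class and function names, and the 1250-byte packets and 12,500-byte bursts used in page_example, are likewise assumptions chosen for the illustration.

```python
"""Added simulation of the single-rate and two-rate token bucket policers.

SingleRatePolicer: tokens arrive at the CIR into the conforming bucket (bc);
overflow spills into the exceeding bucket (be).
TwoRatePolicer: the committed bucket (bc) refills at the CIR and the peak
bucket (be) refills independently at the PIR.
"""

GREEN, YELLOW, RED = "green", "yellow", "red"


def _refill(tokens, capacity, elapsed_us, rate_bps):
    """Add elapsed_us at rate_bps worth of bytes to a bucket.

    Returns (token count capped at capacity, bytes that did not fit).
    bytes = elapsed_us * bits_per_second / 8 bits / 1_000_000 us
    """
    total = tokens + elapsed_us * rate_bps // 8_000_000
    if total > capacity:
        return capacity, total - capacity
    return total, 0


class SingleRatePolicer:
    """police <cir> <bc> <be> with conform / exceed / violate actions."""

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir, self.bc, self.be = cir_bps, bc_bytes, be_bytes
        self.tc, self.te = bc_bytes, be_bytes   # both buckets start full
        self.last_us = None

    def meter(self, size_bytes, now_us):
        if self.last_us is not None:
            self.tc, spill = _refill(self.tc, self.bc, now_us - self.last_us, self.cir)
            self.te = min(self.be, self.te + spill)   # overflow feeds the exceeding bucket
        self.last_us = now_us
        if self.tc >= size_bytes:          # conform: paid from the conforming bucket
            self.tc -= size_bytes
            return GREEN
        if self.te >= size_bytes:          # exceed: paid from the exceeding bucket
            self.te -= size_bytes
            return YELLOW
        return RED                         # violate: no bucket is charged


class TwoRatePolicer:
    """police cir <cir> bc <bc> pir <pir> be <be>.

    Assumption (RFC 2698 rule): a yellow packet is charged to the peak bucket
    only; a green packet to both buckets; a red packet to neither.
    """

    def __init__(self, cir_bps, bc_bytes, pir_bps, be_bytes):
        self.cir, self.bc = cir_bps, bc_bytes
        self.pir, self.be = pir_bps, be_bytes
        self.tc, self.tp = bc_bytes, be_bytes   # both buckets start full
        self.last_us = None

    def meter(self, size_bytes, now_us):
        if self.last_us is not None:
            elapsed = now_us - self.last_us
            self.tc, _ = _refill(self.tc, self.bc, elapsed, self.cir)
            self.tp, _ = _refill(self.tp, self.be, elapsed, self.pir)
        self.last_us = now_us
        if self.tp < size_bytes:           # above the PIR: violate
            return RED
        if self.tc < size_bytes:           # above the CIR but within the PIR: exceed
            self.tp -= size_bytes
            return YELLOW
        self.tc -= size_bytes              # within the CIR: conform
        self.tp -= size_bytes
        return GREEN


def color_counts(policer, size_bytes, interval_us, packets):
    """Feed a constant stream of equal-sized packets and count each color."""
    counts = {GREEN: 0, YELLOW: 0, RED: 0}
    for i in range(packets):
        counts[policer.meter(size_bytes, i * interval_us)] += 1
    return counts


def page_example(seconds=10):
    """The text's 250 kbps stream against CIR 100 kbps and PIR 200 kbps.

    Constructed input: 1250-byte (10,000-bit) packets every 40 ms = 250 kbps.
    With bc = be = 12,500 bytes (assumed) the long-run split approaches the
    100 / 100 / 50 kbps figures given above, plus the initial burst credit.
    """
    policer = TwoRatePolicer(cir_bps=100_000, bc_bytes=12_500,
                             pir_bps=200_000, be_bytes=12_500)
    return color_counts(policer, size_bytes=1250, interval_us=40_000,
                        packets=25 * seconds)


if __name__ == "__main__":
    print(page_example())
```

Running page_example for 10 seconds yields roughly 108 green, 100 yellow and 42 red packets out of 250: the 100/100/50 kbps split of the text, with the extra green packets paid for by the full committed bucket at the start. Shrinking bc and be to a single packet makes the red share climb well above 50 kbps, which is the "burst values too low" effect discussed later in this chapter.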

Committed Bursts and Excess Bursts

Unlike a traffic shaper, a traffic policer does not buffer excess packets and transmit them later. Instead, the policer makes a "send or do not send" decision for each packet without buffering. During periods of congestion, proper configuration of the excess burst parameter lets the policer drop packets less aggressively. Therefore, it is important to understand how policing uses the committed (normal) and excess burst values, so that the router actually reaches the configured committed information rate (CIR).

Burst parameters are based on a generic buffering rule for routers, which recommends that you configure buffering equal to the round-trip time multiplied by the bit rate, so that the outstanding TCP windows of all connections can be accommodated in times of congestion.

The following sections describe committed bursts and excess bursts, and the recommended formula for calculating each of them:

Committed Bursts

The committed burst (bc) parameter of the police command implements the first, conforming (green) token bucket that the router uses to meter traffic. The bc parameter sets the size of this token bucket. Initially, the token bucket is full and the token count equals the committed burst size (CBS). Thereafter, the meter replenishes the bucket at the committed information rate (CIR).

The following describes how the meter uses the conforming token bucket to send packets:

•If sufficient tokens are in the conforming token bucket when a packet arrives, the meter marks the packet green and decrements the conforming token count by the number of bytes of the packet.

•If there are insufficient tokens in the conforming token bucket, the meter allows the traffic flow to borrow the tokens needed to send the packet. The meter checks the exceeding token bucket for the number of bytes of the packet. If the exceeding token bucket has a sufficient number of tokens available, the meter marks the packet:

a. Green, and decrements the conforming token count down to its minimum value of 0.

b. Yellow, borrows the remaining tokens needed from the exceeding token bucket, and decrements the exceeding token count by the number of tokens borrowed, down to its minimum value of 0.

•If an insufficient number of tokens is available in both buckets, the meter marks the packet red and does not decrement either the conforming or the exceeding token count.

Note When the meter marks a packet with a specific color, there must be a sufficient number of tokens of that color to accommodate the entire packet. Therefore, the volume of green packets is never smaller than the committed information rate (CIR) and committed burst size (CBS). Tokens of a given color are always used on packets of that color.

The default committed burst size is the greater of 2 milliseconds of bytes at the police rate or the network maximum transmission unit (MTU).

Committed Burst Calculation

To calculate committed burst, use the following formula:

bc = CIR bps * (1 byte) / (8 bits) * 1.5 seconds

Note 1.5 seconds is the typical round-trip time.

For example, if the committed information rate is 512000 bps, then using the committed burst formula, the committed burst is 96000 bytes.

bc = 512000 * 1/8 * 1.5

bc = 64000 * 1.5 = 96000

Note When the be value equals 0, we recommend that you set the egress bc value to be greater than or equal to the ingress bc value plus 1. Otherwise, packet loss can occur. For example:

be = 0
egress bc >= ingress bc + 1

Excess Bursts

The excess burst (be) parameter of the police command implements the second, exceeding (yellow) token bucket that the router uses to meter traffic. The exceeding token bucket is initially full and the token count equals the excess burst size (EBS). Thereafter, the meter replenishes it with the tokens that overflow the conforming bucket, which is itself refilled at the committed information rate (CIR).

The following describes how the meter uses the exceeding token bucket to send packets:

•When the traffic has used up the committed burst size (CBS) of the first (conforming) token bucket, the meter allows the traffic flow to borrow the tokens it needs from the exceeding token bucket. The meter marks the packet yellow and then decrements the exceeding token bucket by the number of bytes of the packet.

•If the exceeding token bucket does not have the required tokens to borrow, the meter marks the packet red and does not decrement the conforming or the exceeding token bucket. Instead, the meter performs the violate action configured in the police command or, when no violate action is configured, the exceed action (for example, the policer drops the packet).

Excess Burst Calculation

To calculate excess burst, use the following formula:

be = 2 * committed burst

For example, if you configure a committed burst of 4000 bytes, then using the excess burst formula, the excess burst is 8000 bytes.

be = 2 * 4000 = 8000

The default excess burst size is 0.

Deciding if Packets Conform or Exceed the Committed Rate

Policing uses normal or committed burst (bc) and excess burst (be) values to ensure that the configured committed information rate (CIR) is reached. Policing decides if a packet conforms or exceeds the CIR based on the burst values you configure. Several factors can influence the policer's decision, such as the following:

•Low burst values—If you configure burst values too low, the achieved rate might be much lower than the configured rate.

•Temporary bursts—These bursts can have a strong adverse impact on throughput of Transmission Control Protocol (TCP) traffic.

It is important that you set the burst values high enough to ensure good throughput. If your router drops packets and reports an exceeded rate even though the conformed rate is less than the configured CIR, use the show interface command to monitor the current burst. Determine whether the displayed value is consistently close to the committed burst (bc) and excess burst (be) values, and whether the actual rates (the conformed rate and the exceeded rate) are close to the configured committed rate. If not, the burst values might be too low. Reconfigure the burst values using the calculations in the "Committed Burst Calculation" section and the "Excess Burst Calculation" section.

Data Included in the Policing Rate

Table 6-2 describes the data included and excluded in the policing rate.

Be sure to take into account the framing and cell overhead when specifying a minimum bandwidth for a class. For example, if you need to commit a rate of 1000 64-byte packets per second and each packet has 4 bytes of framing overhead, instead of using 512 kbps in the bandwidth or police command, use 544 kbps, calculated as follows:

1000 * (64 + 4) * 8 /1000 = 544

A similar scenario for ATM requires 848 kbps because each 64-byte packet requires two cells of 53 bytes.

1000 * 2 * 53 * 8 / 1000 = 848

Policing Rate Granularity

Policing

•The router applies policing rates in increments of 8000 bits per second. When you specify a policing rate in bits per second, the router rounds it up or down to the nearest multiple of 8000 bps; a value exactly halfway between two multiples rounds up.

For example, if you request 127,000 bps, the router rounds up to 128,000 bps; for 124,000 bps (exactly halfway), the router rounds up to 128,000 bps; and for 123,999 bps the router rounds down to 120,000 bps. A rate that rounds down is applied below what you asked for, so when you must guarantee a minimum rate, request the next multiple of 8000 bps at or above it.

Percent-Based Policing

•The committed information rate (CIR) is based on a percentage of the maximum amount of bandwidth available on the interface.

•For percent-based policing, the burst value in milliseconds is based on the policing rate.

•Within a nested policy, the police percentage is based on the nearest parent shape rate. If no parent shaping exists, the police percentage is based on the link bandwidth.
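The burst formulas, the framing and cell overhead adjustment, and the 8000 bps rate rounding from the "Committed Burst Calculation", "Excess Burst Calculation", "Data Included in the Policing Rate" and "Policing Rate Granularity" sections above, collected as added Python helpers that are not part of this document or of Cisco IOS. The function names are assumptions, as is the 8-byte AAL5 trailer used when counting ATM cells (the text only states that a 64-byte packet needs two cells). The plan() helper adds the check a practitioner wants before typing the police command: because the router may round a requested rate down, it requests the next multiple of 8000 bps at or above the rate you must commit to and reports the shortfall the raw request would have had.

```python
"""Added sizing helpers for the police command: burst formulas, default bc,
framing and ATM cell overhead, and the router's 8000 bps rate rounding.
All arithmetic is integer so the results match the worked figures exactly.
"""
import math

GRANULARITY_BPS = 8000      # policing rates are applied in 8000 bps steps
ATM_CELL_BYTES = 53
ATM_PAYLOAD_BYTES = 48
AAL5_TRAILER_BYTES = 8      # assumption: AAL5 trailer, which the text does not mention


def committed_burst(cir_bps, rtt_ms=1500):
    """bc = CIR * (1 byte / 8 bits) * RTT; the text assumes a 1.5 s round trip."""
    return cir_bps * rtt_ms // 8000


def excess_burst(bc_bytes):
    """be = 2 * bc."""
    return 2 * bc_bytes


def default_committed_burst(rate_bps, mtu_bytes):
    """Default bc: the greater of 2 ms of bytes at the police rate or the MTU."""
    two_ms_bytes = rate_bps * 2 // 8000      # rate * 0.002 s / 8 bits per byte
    return max(two_ms_bytes, mtu_bytes)


def framed_rate_bps(pps, packet_bytes, framing_bytes):
    """Rate that commits pps packets when each carries framing_bytes of overhead."""
    return pps * (packet_bytes + framing_bytes) * 8


def atm_rate_bps(pps, packet_bytes, trailer_bytes=AAL5_TRAILER_BYTES):
    """Rate on ATM, where each packet occupies whole 53-byte cells."""
    cells = math.ceil((packet_bytes + trailer_bytes) / ATM_PAYLOAD_BYTES)
    return pps * cells * ATM_CELL_BYTES * 8


def router_applied_rate(requested_bps):
    """Rate the router installs: nearest multiple of 8000 bps, halfway rounds up."""
    half = GRANULARITY_BPS // 2
    return (requested_bps + half) // GRANULARITY_BPS * GRANULARITY_BPS


def rate_to_request(required_bps):
    """Smallest multiple of 8000 bps at or above the rate you must commit to."""
    return math.ceil(required_bps / GRANULARITY_BPS) * GRANULARITY_BPS


def plan(required_bps, mtu_bytes=1500, rtt_ms=1500):
    """Values for `police <rate> <bc> <be>` that still meet required_bps after rounding.

    Also reports the rate the router would have installed had required_bps been
    entered as is, and how far below the requirement that would have landed.
    """
    request = rate_to_request(required_bps)
    applied_raw = router_applied_rate(required_bps)
    bc = max(committed_burst(request, rtt_ms), default_committed_burst(request, mtu_bytes))
    return {
        "police_rate_bps": request,
        "bc_bytes": bc,
        "be_bytes": excess_burst(bc),
        "applied_if_entered_raw_bps": applied_raw,
        "shortfall_if_entered_raw_bps": max(0, required_bps - applied_raw),
    }


if __name__ == "__main__":
    # 1000 pps of 64-byte packets with 4 bytes of framing, then the same over ATM
    print(plan(framed_rate_bps(1000, 64, 4)))
    print(plan(atm_rate_bps(1000, 64)))
    print(plan(123_999))
```

For the text's 1000 pps example, plan(framed_rate_bps(1000, 64, 4)) returns a 544,000 bps police rate and plan(atm_rate_bps(1000, 64)) returns 848,000 bps, both already multiples of 8000. For a required 123,999 bps the raw request would have been installed as 120,000 bps, 3999 bps short, so plan() asks for 128,000 bps instead.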

Avoiding Bandwidth Starvation Due to Priority Services

The Cisco 10000 series router services priority traffic at near line rate to ensure that traffic is handled with minimal delay. The router gives preference to the priority class over other class queues on a traffic link. Unless the priority class contains a police command, the router does not police the priority traffic to its configured rate and the router does not discard excess priority traffic. As a result, excess priority traffic might cause additional packet delay and other queues on the link might experience bandwidth starvation.

To prevent the priority queue from starving the other queues, use the police command with the priority command. To ensure the committed rate of the priority queue, you must set the exceed and violate actions of the police command to drop. You can use the bandwidth command on the other queues on the link to create one or more queues with guaranteed bandwidth.

Example 6-1 shows how to configure the priority and police commands for a priority class:

Bandwidth and Policing

The police command allows you to police the traffic that passes through the router. You can configure traffic policing in bits per second (bps) or as a percentage of bandwidth of the network interface on which policing is applied. Configuring traffic policing based on bandwidth percentage enables you to use the same policy map for multiple interfaces with differing amounts of bandwidth.

To configure traffic policing on the basis of a percentage of the bandwidth available on an interface, use the police percent command in policy-map class configuration mode. The police percent command calculates the CIR as a percentage of the maximum bandwidth available on the interface. When you attach a policy map to an interface, the router calculates the equivalent CIR value in bits per second (bps) from the interface bandwidth and the percentage you entered for the police percent command.

The police percent command also allows you to optionally specify the conform burst size and the peak burst size. Unlike the bits-per-second form of the police command, which takes burst sizes in bytes, the percent form takes them in milliseconds, and the router derives the byte value from the calculated rate.

If the interface bandwidth changes (for example, more is added), the router recalculates the bps values of the CIR based on the revised amount of bandwidth. If you change the CIR percentage after you attach the policy map to the interface, the router recalculates the bps value of the CIR.

When you use a percent-based police command within a nested (hierarchical) policy, the police percent command takes its reference bandwidth from the next higher level: the shape rate configured in the class-default class of the parent policy. The police percent command always looks to the next higher level for the bandwidth reference point, so a police percent command in a child (secondary-level) policy map uses the rate of the parent (primary-level) policy map. If no parent shaping exists, the police percentage is based on the bandwidth of the network interface on which the policy is applied.

Restrictions and Limitations for Traffic Policing

•You can configure a maximum of 131,072 (PRE1) or 262,144 (PRE2) policing instances.

•The router supports the set-cos-inner-transmit policing action only on QinQ subinterfaces. If you configure this policing action in a flat policy map or a 2-level hierarchical policy and attach the policy to an interface that is not a QinQ subinterface, the router displays an error message. However, if you configure the set-cos-inner-transmit action in a 3-level policy map and attach the policy to a non-QinQ subinterface, no error message displays and the router appears to accept the policy. Therefore, we recommend that you do not use the set-cos-inner-transmit policing action in a 3-level policy map attached to non-QinQ subinterfaces.

•The router supports the set-clp-transmit and set-frde-transmit police actions on the ingress for an Any Transport over MPLS (AToM) Layer 2 VPN (L2VPN) configuration only.

•The router supports only the following combinations of dual actions on the AToM L2VPN ingress:

–set-clp-transmit and set-mpls-exp-imposition-transmit

–set-frde-transmit and set-mpls-exp-imposition-transmit

•The router does not perform extensive error checking to reject invalid combinations of dual actions. If you provide unsupported combinations, the results may be unpredictable.

•On the PRE3 and PRE4, the router enters policy-map-class-police configuration mode after you enter the police command, regardless of whether the command specifies a single action or dual actions.

•On the PRE3 and PRE4, when specifying multiple actions, the router displays each action on a separate line.

Configuring Traffic Policing

To configure traffic policing, perform any of the following configuration tasks:

Configuration Example for Configuring a Single Policing Rate and Burst Sizes

Example 6-3 shows how to configure a policing rate for the class named group1 in the policy map named police. In the example, the router polices group1 traffic at 8000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 4000 bytes.

Example 6-3 Configuring a Policing Rate Based on Bits per Second

Router(config)# class-map group1

Router(config-cmap)# match access-group 2

Router(config-cmap)# exit

Router(config)# policy-map police

Router(config-pmap)# class group1

Router(config-pmap-c)# police 8000 2000 4000

Router(config-pmap-c)# exit

Router(config-pmap)# exit

Router(config)# interface atm 1/0/0.1 point-to-point

Router(config-subif)# service-policy input police

Configuration Example for Configuring Single-Rate Two-Color Policing

Example 6-4 shows how to configure single-rate two-color policing that includes actions for conforming and exceeding traffic. In the example, policing is configured for the class named Group1 in the policy map named Premium. The router polices Group1 traffic at 8,000,000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 6000 bytes. The router transmits Group1 traffic that conforms to the normal or committed rate and sets the precedence-transmit value to 2 for Group1 traffic that exceeds the burst sizes. The router polices Group2 traffic at 4,000,000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 5000 bytes. The router transmits Group2 traffic that conforms to the policing rate and sets the dscp-transmit value to 5 for Group2 traffic that exceeds the burst sizes.

Example 6-5 shows how to configure single-rate three-color policing that includes actions for conforming, exceeding, and violating traffic. In the example, policing is configured for the classes named Bronze and Silver in the policy map named Policy_0. The router polices Bronze traffic at 4,000,000 bits per second and allows normal or committed bursts of 5000 bytes and excess bursts of 2000 bytes. The router transmits Bronze traffic that conforms to the policing rate, sets the precedence-transmit value to 2 for Bronze traffic that exceeds the burst sizes, and drops Bronze traffic that violates the policing rate. The router polices Silver traffic at 8,000,000 bits per second and allows committed bursts of 6000 bytes and excess bursts of 4000 bytes. The router transmits Silver traffic that conforms to the policing rate, drops Silver traffic that exceeds the burst sizes, and drops Silver traffic that violates the policing rate.

Configuration Example for Policing a Priority Service

Example 6-6 shows how to configure the police command for a priority service. In the example, the priority class named Priority-Class is configured in the policy map named Gold. The router polices Priority-Class traffic at 10200 bits per second and allows committed bursts of 1000 bytes and excess bursts of 500 bytes. The router transmits Priority-Class traffic that conforms to the policing rate, drops Priority-Class traffic that exceeds the burst sizes, and drops Priority-Class traffic that violates the policing rate.

Configuration Example for Configuring Single-Rate Policing in a Hierarchical Policy

Example 6-7 shows how to configure a hierarchical policy named Parent-Policy and attach it to VLAN 2 (as indicated in the encapsulation dot1q 2 command) on the Gigabit Ethernet subinterface 1/0/0.1. In the Parent-Policy class-default class, bandwidth is shaped to 512 kbps. The policy map named Child-Policy is applied to the Parent-Policy. After the router shapes the bandwidth to 512 kbps as indicated in class-default, the router then polices Group1 and Group2 traffic configured in the policy map named Child-Policy. The router polices Group1 traffic at 12000 bits per second and allows committed bursts of 500 bytes and excess bursts of 1000 bytes. The router polices Group2 traffic at 8000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 2000 bytes. The router performs three-color policing on both Group1 and Group2 traffic.

Configuration Example for Policing PPPoE over ATM Sessions

Example 6-8 shows how to create a policy map named Group1 and associate it with a virtual template interface named Virtual-Template 1. In the example, the router polices the Gold traffic at 8000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 2000 bytes. The router polices the Bronze traffic at 5000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 1000 bytes. The router performs three-color policing on the Gold traffic and two-color policing on the Bronze traffic.

When PPPoE sessions arrive on an interface, the protocol pppoe command configured on the interface points to a broadband aggregation (BBA) group, which references a virtual template that the router uses to create the virtual access interface (VAI) for the session. The router applies the QoS policy attached to the virtual template to the session.

Configuration Example for Configuring Percent-Based Policing

Example 6-9 shows how to configure percent-based policing. In the example, the class named Premium is configured in the policy map named Test. The Premium class is a priority class with a queue depth of 32. The router allocates 5 percent of the committed rate to Premium traffic and allows burst sizes of 2 ms for both committed and excess bursts.

Example 6-10 shows how to configure two-color percent-based policing. In the example, policing is configured for the classes named Voice and Test in the policy map named Premium. The router allocates 10 percent of the committed rate to voice traffic and allows burst sizes of 2 ms. The router transmits Voice traffic that conforms to the committed rate and sets the precedence-transmit value to 2 for Voice traffic that exceeds the burst sizes. The router allocates 5 percent of the committed rate to Test traffic and allows committed bursts of 4 ms and excess bursts of 2 ms. The router transmits Test traffic that conforms to the committed rate and drops Test traffic that exceeds the burst sizes.

Example 6-11 shows how to configure three-color percent-based policing. In the example, policing is configured for the class named Bronze in the policy map named Policy_0. The router allocates 10 percent of the committed rate to Bronze traffic and allows burst sizes of 2 ms. The router transmits Bronze traffic that conforms to the committed rate, sets the precedence-transmit value to 2 for Bronze traffic that exceeds the burst sizes, and drops Bronze traffic that violates the committed rate. For the Silver class, the router polices Silver traffic at 8,000,000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 6000 bytes. The router transmits Silver traffic that conforms to the committed rate, sets the QoS transmit value to 4 for Silver traffic that exceeds the burst sizes, and drops Silver traffic that violates the committed rate.

Configuration Example for Configuring Percent-Based Policing in a Hierarchical Policy

Example 6-12 shows how to configure a hierarchical policy and attach it to PVC 5/101. The router first shapes the bandwidth to 512000 bits per second as indicated in the Parent policy class-default class. The router then polices the Bronze and Gold classes in the policy-map named Child. The router allocates 30 percent of the committed rate to the Bronze traffic and allows committed bursts of 6 ms and excess bursts of 4 ms. The router transmits Bronze traffic that conforms to the committed rate and drops Bronze traffic that exceeds the burst sizes. The router polices Gold traffic at 8000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 4000 bytes. The router transmits Gold traffic that conforms to the committed rate and sets the QoS transmit value to 4 for traffic that exceeds burst sizes.

Configuration Example for Percent-Based Policing of a Priority Service

Example 6-13 shows how to configure the police percent command for a priority service. In the example, the priority class named Voice is configured in the policy map named New-Traffic. The router allocates 25 percent of the committed rate to Voice traffic and allows committed bursts of 4 ms and excess bursts of 1 ms. The router transmits Voice traffic that conforms to the committed rate, sets the QoS transmit value to 4 for Voice traffic that exceeds the burst sizes, and drops Voice traffic that violates the committed rate.

Configuration Example for Configuring Two-Rate Three-Color Policing

Example 6-14 shows how to configure two-rate three-color policing for the Premium traffic class in the policy map named Business. In the example, the committed information rate (CIR) is 512 kbps and the peak information rate (PIR) is 1 Mbps. Traffic that conforms to the CIR is sent as is. Traffic that exceeds the CIR, but not the PIR is marked with IP precedence 4. Traffic that exceeds the PIR is dropped. The burst parameters are set to 10,000 bytes.
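The percent-based examples above (6-9 through 6-13) and the two-rate three-color Example 6-14 all come down to token buckets: one bucket refilled at the committed rate, and for two-rate policing a second bucket refilled at the peak rate. The following model, added to this chapter as an illustration and not Cisco IOS code, shows the arithmetic: it converts a percent and millisecond burst specification into an absolute rate and byte bursts (the conversion formula is an assumption of this example, not a statement about the router's internal rounding), and colors constructed packet traces with a single-rate three-color policer using Example 6-11's Silver parameters and a two-rate three-color policer using Example 6-14's CIR, PIR and burst values. Times are in integer microseconds so the token counts are exact.

```python
"""Token-bucket policer models: single-rate three-color (srTCM, RFC 2697 style),
two-rate three-color (trTCM, RFC 2698 style) and the percent/ms conversion used
by percent-based policing. Illustrative code added to this chapter; it is not
Cisco IOS code and makes no claim about the router's internal arithmetic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"
US_PER_S = 1_000_000


def percent_params(link_bps: int, percent: int, bc_ms: int, be_ms: int) -> Tuple[int, int, int]:
    """Turn 'police percent P bc_ms be_ms' into an absolute rate and byte bursts.
    Assumption: burst_bytes = rate_bps * ms / 1000 / 8, rounded down."""
    cir = link_bps * percent // 100
    return cir, cir * bc_ms // 8000, cir * be_ms // 8000


@dataclass
class TwoRatePolicer:
    """Two buckets: C fills at CIR up to bc bytes, P fills at PIR up to be bytes."""
    cir: int
    pir: int
    bc: int
    be: int

    def __post_init__(self) -> None:
        self.tc, self.tp, self.last_us = self.bc, self.be, 0

    def police(self, t_us: int, length: int) -> str:
        dt = t_us - self.last_us
        self.last_us = t_us
        # refill both buckets for the elapsed time, capped at their burst sizes
        self.tc = min(self.bc, self.tc + self.cir * dt // (8 * US_PER_S))
        self.tp = min(self.be, self.tp + self.pir * dt // (8 * US_PER_S))
        if self.tp < length:          # over the PIR: violate (for example, drop)
            return VIOLATE
        if self.tc < length:          # over the CIR but within the PIR: exceed (remark)
            self.tp -= length
            return EXCEED
        self.tc -= length             # within the CIR: conform
        self.tp -= length
        return CONFORM


@dataclass
class SingleRatePolicer:
    """One rate: C fills at CIR up to bc bytes; overflow spills into E up to be bytes."""
    cir: int
    bc: int
    be: int

    def __post_init__(self) -> None:
        self.tc, self.te, self.last_us = self.bc, self.be, 0

    def police(self, t_us: int, length: int) -> str:
        dt = t_us - self.last_us
        self.last_us = t_us
        self.tc += self.cir * dt // (8 * US_PER_S)
        if self.tc > self.bc:                     # committed overflow feeds the excess bucket
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc
        if self.tc >= length:
            self.tc -= length
            return CONFORM
        if self.te >= length:
            self.te -= length
            return EXCEED
        return VIOLATE


def run(policer, trace: List[Tuple[int, int]]) -> Dict[str, int]:
    """Police a constructed (time_us, bytes) trace and count the three colors."""
    counts = {CONFORM: 0, EXCEED: 0, VIOLATE: 0}
    for t_us, length in trace:
        counts[policer.police(t_us, length)] += 1
    return counts


def example_6_14() -> Dict[str, int]:
    """Example 6-14 parameters: CIR 512 kbps, PIR 1 Mbps, both bursts 10000 bytes.
    Constructed trace: six 1500-byte packets at t=0, seven more 100 ms later."""
    trace = [(0, 1500)] * 6 + [(100_000, 1500)] * 7
    return run(TwoRatePolicer(cir=512_000, pir=1_000_000, bc=10_000, be=10_000), trace)


def example_6_11_silver() -> Dict[str, int]:
    """Example 6-11 Silver class: 8,000,000 bps, bc 4000 bytes, be 6000 bytes.
    Constructed trace: eleven 1000-byte packets at t=0, one more 1 ms later."""
    trace = [(0, 1000)] * 11 + [(1_000, 1000)]
    return run(SingleRatePolicer(cir=8_000_000, bc=4000, be=6000), trace)


if __name__ == "__main__":
    print("30 percent of a 2 Mbps link, 6 ms / 4 ms ->", percent_params(2_000_000, 30, 6, 4))
    print("Example 6-14 trTCM:", example_6_14())
    print("Example 6-11 Silver srTCM:", example_6_11_silver())
```

The two-rate trace shows why the peak bucket matters: the second burst arrives after only 100 ms, so the committed bucket has recovered just 6400 bytes while the peak bucket is full again; the first four packets of that burst conform, the next two exceed (remarked, in Example 6-14 with IP precedence 4) and the last violates (dropped).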

action specifies the policing action, such as set-clp-transmit, set-frde-transmit, set-cos-transmit, or set-cos-inner-transmit. Valid values for these actions are 0 to 7. For more information about the actions you can specify, see Table 6-1.

Configuration Example for Marking Traffic Using Police Actions

Example 6-15 shows how to configure conform, exceed, and violate actions in the police command. In the example configuration, traffic is policed at 8000 bps with the normal burst size set to 2000 bytes and the peak burst size set to 1000 bytes. Traffic whose rate is less than the conform burst rate has the CLP bit set to 1; traffic whose rate is within the conform and conform plus exceed burst rate has the CoS bits set to 3; and traffic whose rate is higher than the conform plus exceed rate has the CoS bits also set to 3.

Configuration Example for Configuring Dual Police Actions

Example 6-16 shows how to configure the dual police actions set-clp-transmit and set-mpls-exp-imposition-transmit. The example configures set-clp-transmit and set-mpls-exp-transmit as the conform action and set-clp-transmit and set-mpls-exp-transmit as the exceed and violate actions.

The following example shows how to configure set-frde-transmit and set-mpls-exp-imposition-transmit as the conform action and set-frde-transmit and set-mpls-exp-imposition-transmit as the exceed and violate actions.

policy-map frde
 class class-default
  police 100000 100 10 conform-action set-frde-transmit
   conform-action set-mpls-exp-imposition-transmit 1
   exceed-action set-frde-transmit
   exceed-action set-mpls-exp-imposition-transmit 2
   violate-action set-frde-transmit
   violate-action set-mpls-exp-imposition-transmit 3

The following shows sample output from the show policy-map command:

Router# show policy-map frde
  Policy Map frde
    Class class-default
      police 104000 100 10
        conform-action set-frde-transmit
        conform-action set-mpls-exp-imposition-transmit 1
        exceed-action set-frde-transmit
        exceed-action set-mpls-exp-imposition-transmit 2
        violate-action set-frde-transmit
        violate-action set-mpls-exp-imposition-transmit 3

The following shows sample output from the show running-config command:

Router# show running-config | begin frde
 class class-default
  police 104000 100 10
   conform-action set-frde-transmit
   conform-action set-mpls-exp-imposition-transmit 1
   exceed-action set-frde-transmit
   exceed-action set-mpls-exp-imposition-transmit 2
   violate-action set-frde-transmit
   violate-action set-mpls-exp-imposition-transmit 3

If the policy map is attached to Frame Relay DLCI 101, which is configured for Layer 2 VPN, the output from the show policy-map interface command displays the following information:

Router# show policy-map interface serial4/0/0.1

 Serial4/0/0.1: DLCI 101 -

  Service-policy input: frde

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps
      Police:
        104000 bps, 100 limit, 10 extended limit
        conformed 0 packets, 0 bytes; action:
          set-frde-transmit
          set-mpls-exp-imposition-transmit 1
        exceeded 0 packets, 0 bytes; action:
          set-frde-transmit
          set-mpls-exp-imposition-transmit 2
        violated 0 packets, 0 bytes; action:
          set-frde-transmit
          set-mpls-exp-imposition-transmit 3
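The police command syntax described above (the action keywords and their 0 to 7 value range, and the dual-action form in which two conform-action, exceed-action or violate-action lines both apply) can be checked before a policy map is pushed to a router. The following parser is an illustration added to this chapter, not Cisco IOS code or a Cisco tool; it reads a police stanza in the layout of the frde policy map, groups the actions by color, rejects out-of-range values, and applies a color's accumulated actions to a packet's marking fields. The field names in the packet dictionary, the treatment of set-mpls-exp-transmit and set-mpls-exp-imposition-transmit as one EXP field, and the 0 to 63 and 0 to 99 ranges for set-dscp-transmit and set-qos-transmit are assumptions of this example.

```python
"""Parse an IOS-style 'police' stanza into per-color action lists, check the
action values and apply them to a packet's marking fields. Illustrative code
added to this chapter, not Cisco IOS code; ranges for the CoS and EXP actions
are the 0 to 7 given in the chapter, the DSCP and QoS ranges are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the frde policy map lines as they appear in this chapter
FRDE_STANZA = """
policy-map frde
 class class-default
  police 100000 100 10 conform-action set-frde-transmit
   conform-action set-mpls-exp-imposition-transmit 1
   exceed-action set-frde-transmit
   exceed-action set-mpls-exp-imposition-transmit 2
   violate-action set-frde-transmit
   violate-action set-mpls-exp-imposition-transmit 3
"""

FLAG_FIELD = {"set-clp-transmit": "clp", "set-frde-transmit": "frde"}   # set a bit to 1
FLAG_ACTIONS = {"transmit", "drop"} | set(FLAG_FIELD)
VALUE_FIELD = {                                   # actions that carry a value (assumed names)
    "set-cos-transmit": "cos", "set-cos-inner-transmit": "cos_inner",
    "set-mpls-exp-transmit": "mpls_exp",           # modelled as one EXP field here
    "set-mpls-exp-imposition-transmit": "mpls_exp",
    "set-prec-transmit": "precedence", "set-dscp-transmit": "dscp",
    "set-qos-transmit": "qos_group",
}
VALUE_RANGE = {name: (0, 7) for name in VALUE_FIELD}
VALUE_RANGE["set-dscp-transmit"] = (0, 63)        # assumption: 6-bit DSCP
VALUE_RANGE["set-qos-transmit"] = (0, 99)         # assumption: qos-group range

ACTION_RE = re.compile(r"(conform|exceed|violate)-action\s+(\S+)(?:\s+(\d+))?")
Actions = Dict[str, List[Tuple[str, Optional[int]]]]


def validate(name: str, value: Optional[int]) -> None:
    """Reject unknown actions, stray values on flag actions and out-of-range values."""
    if name in FLAG_ACTIONS:
        if value is not None:
            raise ValueError(f"{name} takes no value")
        return
    if name not in VALUE_RANGE:
        raise ValueError(f"unknown police action {name}")
    lo, hi = VALUE_RANGE[name]
    if value is None or not lo <= value <= hi:
        raise ValueError(f"{name} needs a value in {lo}..{hi}, got {value}")


def parse_police(stanza: str) -> Tuple[Tuple[int, int, int], Actions]:
    """Return (rate, bc, be) and the actions configured for each color.
    Repeated lines for one color accumulate, which is the dual-action form."""
    text = " ".join(line.strip() for line in stanza.splitlines())
    m = re.search(r"\bpolice\s+(\d+)\s+(\d+)\s+(\d+)\b", text)
    if not m:
        raise ValueError("no police command found")
    rate, bc, be = (int(x) for x in m.groups())
    actions: Actions = {"conform": [], "exceed": [], "violate": []}
    for color, name, value in ACTION_RE.findall(text[m.end():]):
        val = int(value) if value else None
        validate(name, val)
        actions[color].append((name, val))
    return (rate, bc, be), actions


def check_stanza(stanza: str) -> Optional[str]:
    """None if the stanza parses with every value in range, else the first problem."""
    try:
        parse_police(stanza)
    except ValueError as exc:
        return str(exc)
    return None


def apply_actions(actions: Actions, color: str, packet: Dict[str, int]) -> Optional[Dict[str, int]]:
    """Apply every action configured for a color to a copy of the packet's marking
    fields; both lines of a dual action take effect. None means the packet is dropped."""
    pkt = dict(packet)
    for name, value in actions[color]:
        if name == "drop":
            return None
        if name == "transmit":
            continue
        if name in FLAG_FIELD:
            pkt[FLAG_FIELD[name]] = 1
        else:
            pkt[VALUE_FIELD[name]] = value
    return pkt


if __name__ == "__main__":
    params, acts = parse_police(FRDE_STANZA)
    print("rate/bc/be:", params)
    for color in ("conform", "exceed", "violate"):
        print(color, "->", apply_actions(acts, color, {"frde": 0, "mpls_exp": 0}))
```

Run against the frde stanza, the violate color yields a packet with the DE bit set and EXP 3, matching the two violate-action lines; a stanza with set-cos-transmit 9 is rejected before it ever reaches a device.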

Configuration Example of the set-cos-transmit Police Action

The following example shows how to configure the set-cos-transmit police action on the PRE2. In the example, the traffic class group2 is policed at 20000 bps with a normal burst of 100 bytes. Traffic that conforms to the rate is transmitted; traffic that exceeds the rate has the CoS bits set to 3; and traffic that violates the rate has the CoS bits set to 4.

On the PRE3, output from the show running-config command is the same as the above sample output, except that the priority command configured in class c0 displays as priority level level-number.

On the PRE2 and PRE3, the show policy-map interface command displays the set-cos-transmit action and its corresponding value when configured as a police action in a policy map.

Verifying and Monitoring Traffic Policing

The Cisco 10000 series router collects information about the number of conforming, exceeding, and violating packets and bytes.

To verify and monitor traffic policing, enter any of the following commands in privileged EXEC mode:

Command                                        Purpose

Router# show policy-map                        Displays statistical and configuration information
                                               about all of the configured policy maps.

Router# show policy-map policy-map-name        Displays statistical and configuration information
                                               about the policy map you specify.

Router# show policy-map interface interface    Displays statistical and configuration information
                                               about all of the input and output policy maps
                                               attached to the interface you specify.

For Cisco IOS Release 12.2(33)SB and later releases, if the policy map attached to an interface has the police command configured in it, the output from the show policy-map interface command displays the police actions in a new line.

Verifying Policing for a Specific Traffic Class

The following example shows how to verify policing for a specific traffic class in a policy map. In this example, the Bronze class in the Child policy map is policed at 30 percent of the available bandwidth. The committed burst is 6 ms and the excess burst is 4 ms.

Verifying Policing on a Specific Interface

The following example uses the show policy-map interface command to verify traffic policing on the ATM 3/0/0.3 subinterface. The QoS policy attached to PVC 5/101 on ATM subinterface 3/0/0.3 is a hierarchical policy that consists of a Parent policy and a Child policy. The Bronze class is policed at 600,000 bps and the Gold class is policed at 8000 bps.

The following shows sample output from the show policy-map command on the PRE3 and PRE4. In the example, the class-default class is configured for dual police actions: set-clp-transmit and set-mpls-exp-transmit.

Router# show policy-map clp
  Policy Map clp
    Class class-default
      police 104000 100 10
        conform-action set-clp-transmit
        conform-action set-mpls-exp-transmit 1
        exceed-action set-clp-transmit
        exceed-action set-mpls-exp-transmit 2
        violate-action set-clp-transmit
        violate-action set-mpls-exp-transmit 3

Related Documentation

This section provides hyperlinks to additional Cisco documentation for the features discussed in this chapter. To display the documentation, click the document title or a section of the document highlighted in blue. When appropriate, paths to applicable sections are listed below the documentation title.